MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af403c116c3b92f0d3d363f85a7d70e97abcffbe2278651471dfe0e1a46a1945. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af403c116c3b92f0d3d363f85a7d70e97abcffbe2278651471dfe0e1a46a1945
SHA3-384 hash: e4d942e79a4a995c0ae08b5809465edd1a08b73753ebf9d9cd0314b7487da0c4e7cef409feca9f28eb6b1734d7d56093
SHA1 hash: 3859a36391800f4f9c58588a855e12fc98c9e71b
MD5 hash: f7930920de88f079106960fc8122d875
humanhash: winter-charlie-paris-eleven
File name:Quote best price of 75000pcsPO.exe
Download: download sample
File size:691'992 bytes
First seen:2020-09-02 13:25:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 6144:bBPYE9q5NR7qyzpZ0Mae4ULHb8YgdDvb4PXxCYg5p7Xj+lv0W19J3D8ZjNL8:aE9q3R7BzpQGhgNbP7XClv04a8
Threatray 28 similar samples on MalwareBazaar
TLSH 0EE45B3A398A4128C869467404289CC2BA646E473AD98F7F71E7734C4F32C9B7F6645F
Reporter James_inthe_box
Tags:exe

Code Signing Certificate

Organisation:Opera Software AS
Issuer:DigiCert EV Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:May 24 00:00:00 2019 GMT
Valid to:Aug 3 12:00:00 2022 GMT
Serial number: 0D31C23EB2249CE611B953FB16EA0D25
Thumbprint Algorithm:SHA256
Thumbprint: 5357ADBD68AC64FE4B2F37A7CD097E65B6F4B165FA4A03F646DBC6EDB817FDDA
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Downloader.Firseria-6870500-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Setting a keyboard event handler
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/457500
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/af403c116c3b92f0d3d363f85a7d70e97abcffbe2278651471dfe0e1a46a1945/
Threat name:
ByteCode-MSIL.Spyware.Golangot
Create hunting rule
Status:
Malicious
First seen:
2020-09-02 06:34:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
26 of 29 (89.66%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5adyelmhojpbu6tmp4fu7lq5f5lz756ej4gkfdr37qodjdkdfcq._file
Verdict:
unknown
Similar samples:
159921268e1634b4695fdeb118786e1d8b3607e775ec42913beeae5f497d0011
1ede91e067622d1f60365bd4fb7345b7be7958d95d76361238869b39b6cc62cd
221c96dcf9d3f774e6d79c3db0c56885381f2134f381cb471f08c75072adba26
4b957c9c068b3545eeebdafc11543b47228daf7e5bfa9500cf5660c1236a8184
6ff1a967067a8a84fa90a7d4a47b409737b144d325d613d9d30314d575dd3e4e
72401bf3b38c9ea0fafb14afa9fd35484add4163752be1f7243a9e7d6fa3c7af
8ab140bb28604e13079fa3aa37f12f521a7ab3619b979e0ca505a337a544431b
acf68538ba67b523ff52999cc40e2ef3383c53b5b5fe53c634cf7c52f5c9dbe3
e14485ceea75d472b156c60312308d431fbd7bf1fbc0b4994fb47c05b79c6ddf
fbab77a9399461b71d65d586ad2aac134941f7fac37e5e607822749a627b3937
+ 18 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
agilenet keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200902-y5k9gl5h5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af403c116c3b92f0d3d363f85a7d70e97abcffbe2278651471dfe0e1a46a1945

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/54348/

Comments